[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Thu Sep 17 15:30:25 UTC 2020
Hi Lamiaa,
The separate TAL makes this service an opt-in one, so even in case of errors, the impact can be avoided.
Actually, the staff can also make the mistake in the existing TAL, or completely drop the RPKI certificates, etc., right? So, what is the difference? This is an operational problem that *all* the RIRs try to avoid. NOBODY is perfect, but objecting to a proposal for improving overall routing security by stating that “it is subjected to errors” is like saying “we should not have a whois, because it can be broken or have mistaken information”. Do you still think it is a valid argument, or should we drop all the policies because all may have operational errors?
A global policy could only cover the unallocated space in the hands of IANA. Do not worry about that, I’m preparing a policy proposal for that already!
Your comment about Ernest's case is not a valid objection, because as Madhvi explained, before going into the RPKI, it is taken from the whois, so even if the RPKI doesn't exist, the case can happen again, exactly the same. And I’m sure, following Eddy's emails, that they have taken sufficient measures to avoid that happening.
Regards,
Jordi
@jordipalet
On 17/9/20 11:00, "Lamiaa Chnayti" <lamiaachnayti at gmail.com> wrote:
Hey everyone,
I, on the other hand, am having issues with this policy due to the following reasons:
- It potentially can turn a registration error into an operational disaster: if AFRINIC mistakenly labels one of the members' IPs into their own pool, it has a great chance for end users to lose their connection vs just wrong registration data.
- RPKI for unallocated space is a global policy issue rather than a regional policy issue; all regions should have the same view on the topic. If only AFRINIC implements it, it will create an operational inconsistency.
- There is a potential huge risk that will be created if Ernest’s case happens again: AFRINIC’s own staff potentially has the power to rob other members' space by “AS0” it.
Regards,
Lamiaa
On Thu, 17 Sep 2020 at 09:04, Mark Elkins <mje at posix.co.za> wrote:
I support the RPKI ROA policy as written. I understand the technical aspects of the policy. I have a feeling that those objecting may not completely understand the technical aspects which is why they are objecting.
AFRINIC's job is to properly document the resources they have been provided by ICANN/IANA and this is simply part of the job. When new resources are provided to AFRINIC, they label it as such (AS0, etc). When it is then allocated/assigned to a member, the AS0 RPKI is removed. All this means is that the unallocated/unassigned resources that are with AFRINIC can be (optionally) identified as such and thus cannot be easily misused by bad actors. This also means that when they are allocated/assigned to members, they are less likely to have been made "dirty".
On 2020/09/17 08:26, Ibeanusi Elvis wrote:
Dear all,
The AFRINIC as an organization specifically focuses on the registration database and thereby having knowledge of where the prefix belongs to and AFRINIC should just focus on this role and should not engage in authenticating or the authorization of various services. If such rights are given to any organization, they have the right to assign prefixes to servers hence, having control of the routing database at which a technical or human error will lead to an immense catastrophe to the internet society. This control is basically the specific definition of centralization. This centralization is the major reason why most providers do not trust the Resource Public Key Infrastructure (RPKI). I am still in opposition to this policy proposal.
Elvis.
On Thu, Sep 17, 2020 at 3:01 PM Darwin Costa <dc at darwincosta.com> wrote:
Cmon folks….!
@Elvis, I really don’t see your point here and also don’t really understand why you are opposing this proposal.
As mentioned further on the thread - RPKI won’t change AFRINIC's role at all…. Instead this proposal will certainly contribute to a more secure routing advertisement.
As such, other RIRs have successfully implemented this in order to protect our garden so called “The Internet”.
Darwin-.
On 17 Sep 2020, at 05:42, Fernando Frediani <fhfrediani at gmail.com> wrote:
I think there is a serious issue by some people totally misunderstanding what RPKI actually is.
Some arguments saying something like 'Afrinic will centralize control of the internet and should not have such power' don't have relation to what this proposal intends and the reasons to oppose it are not tied to real possible problems pointed.
This proposal only follows what has been done in APNIC and LACNIC and is a natural move to make an internet more secure and avoid organizations to use space that is not assigned to anyone else.
Therefore I support this proposal.
Fernando
On 16/09/2020 20:42, Noah wrote:
On Thu, Sep 17, 2020 at 2:30 AM Ibeanusi Elvis <ibeanusielvis at gmail.com> wrote:
I am strongly in opposition to this RPKI ROA proposal,
You oppose yet....
issuing an AS0 for AFRINIC address space
You must be clear on which AFRINIC address space rather than presenting a rather vague statement.
The proposal is very clear and explicit and the AFRINIC space in question is that which has not yet been allocated or assigned to any entity or resource member.
I will quote for you section 2.0 of the proposal as written below;
2.0 Summary of how this proposal addresses the problem
This proposal instructs AFRINIC to create ROAs for all unallocated and unassigned address space under its control. This will enable networks performing RPKI-based BGP Origin Validation to easily reject all the bogon announcements covering resources managed by AFRINIC.
So what are you talking about?
Noah
_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
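An added illustration of the mechanism debated in this thread (not part of any participant's mail and not AFRINIC's tooling): RFC 6811 route origin validation run over constructed VRPs, with the AS0 ROAs published under a separate, opt-in TAL that is hypothetically named `as0-tal` here. The prefixes and ASNs are documentation values, and the two "registry mistake" entries are assumptions added to show what a relying party would compute in that situation.

```python
import ipaddress

# Constructed VRPs: (prefix, max length, origin ASN, TAL name).
# "as0-tal" is a hypothetical name for the separate, opt-in trust anchor.
VRPS = [
    ("198.51.100.0/24", 24, 0, "as0-tal"),   # unallocated space, AS0 ROA
    ("192.0.2.0/24", 24, 0, "as0-tal"),      # assumed mistake: member space tagged AS0
    ("192.0.2.0/24", 24, 64500, "main"),     # the member's own ROA for that space
    ("203.0.113.0/24", 24, 0, "as0-tal"),    # assumed mistake, member has no ROA
]


def validate(prefix, origin_asn, enabled_tals, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn, tal in vrps:
        if tal not in enabled_tals:
            continue  # relying party has not configured this TAL
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # AS0 never matches a route origin (RFC 6483, RFC 7607), so an
        # AS0 VRP can make a route "covered" but can never make it "valid".
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    cases = [
        ("198.51.100.0/24", 64511),  # announcement from unallocated space
        ("192.0.2.0/24", 64500),     # member with own ROA, also tagged AS0
        ("203.0.113.0/24", 64501),   # member without ROA, tagged AS0
    ]
    for tals in ({"main"}, {"main", "as0-tal"}):
        for prefix, asn in cases:
            print(sorted(tals), prefix, f"AS{asn}", validate(prefix, asn, tals))
```

A route covered by an erroneous AS0 VRP stays valid when the holder's own ROA matches it; it becomes invalid only where no matching ROA exists and the relying party has loaded the AS0 TAL.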